How to configure an Exchange mailbox for anonymous access (195681)
The information in this article applies to:

  • Collaboration Data Objects (CDO) 1.21
  • Collaboration Data Objects (CDO) 1.1
  • Collaboration Data Objects (CDO) 1.2
  • Microsoft Exchange Server 5.5
  • Microsoft Windows NT 4.0
  • Microsoft Internet Information Server 4.0

This article was previously published under Q195681

SUMMARY

This step-by-step article describes how to configure a Microsoft Internet Information Server (IIS) that uses anonymous authentication to access a Microsoft Exchange Server mailbox. The primary purpose of this task is to allow for users who do not have an NT account on the network to send mail by using an Exchange Server.

The problem that you face is that Exchange requires an NT account against which to authenticate a user before Exchange gives access to any server resources. For an Internet application in which you grant anonymous access to your Web site, you must configure IIS and Microsoft Exchange Server to be able to send mail from an "anonymous" Exchange mailbox.

Configuring an NT account

The following steps assume that you have the required permissions for adding new users to the selected domain.
  1. Open the User Manager for Domains.
  2. Note the domain in the title bar of the application. If this domain is not the domain to which you want to add a new user, click Select Domain in User Manager. Whatever domain is named in the title bar of the application replaces "YourDOMAIN" throughout this example.
  3. On the User menu, click New User. Set the following properties:
          Username:          AnonUser
          Full Name:         Anonymous User
          Description:       For anonymous Web access
          Password:          Fill in an appropriate password
          Confirm Password:  Repeat password

          User Must Change Password at Next Logon:  OFF
          User Cannot Change Password:              ON*
          Password Never Expires:                   ON*
          Account Disabled:                         OFF

          Groups
            Member of:       Domain Users and Domain Guests
            Profiles:        User Profiles or Home Directory settings
                             are not required.
            Hours:           No settings are required
            Logon to:        Set as appropriate

          Account
            Account Expires:  Never
            Account Type:     Global Account for regular user accounts
                              in the domain

          Dial-in
            Grant dialin permissions to user:  OFF
            Call Back:                         No Call Back

    * Note: You may set these values to OFF. If you set these values to OFF, you must make sure that you keep the password that IIS has stored synchronized with the password of the NT account.
  4. Click Add. If you have configured your server to automatically create an Exchange account, the Exchange User Properties dialog box appears.
  5. If the dialog box does not appear, you must open Microsoft Exchange Administrator and create a new mailbox. Follow the steps in the next section for setting up this mailbox.
  6. Before or after you create the new mailbox, click User Rights on the Policies menu in the User Manager.
  7. In the drop-down list, click Log on Locally.
  8. Click Add, and then add the AnonUser user. The user that you created now has the user right to log on locally to the server running IIS.

Configuring a mailbox

Open your Microsoft Exchange Administrator and then configure a new mailbox by following these steps. These steps assume that you have the required permissions on Microsoft Exchange Server to create new mailboxes.
  1. On the File menu, click New Mailbox. If you already have the Exchange User Properties dialog box, go to step 2.
  2. On the General tab, fill in the following properties:
          First Name:          Anonymous
          Last Name:           User
          Display:             Anonymous User
          Alias:               AnonUser
          Primary NT Account:  YourDOMAIN\AnonUser
    Note: In this list, the Primary NT Account indicates the domain and the user account that you configured in the "Configuring an NT account" section.

Configuring the virtual directory

  1. Start the Internet Service Manager Microsoft Management Console (MMC).
  2. Right-click the Web site from which you want to allow for anonymous mail to be sent.
  3. Click the Directory Security tab.
  4. Click Edit under Anonymous Access and Authentication Control.
  5. Click Allow Anonymous, and then click Edit.
  6. Click to clear the Enable Automatic Password Synchronization check box.
  7. Enter the DOMAIN\UserID in the box, such as YourDOMAIN\AnonUser. This value should be the domain account that you created in this article.
  8. Enter the password of the user in the Password box, and then re-enter the password.
  9. Click OK until you have closed all dialog boxes.

How it works

Your system should now be configured to allow for an anonymous user to send mail from your Exchange server. When a user accesses the Web, the following events occur:
  1. IIS determines that Anonymous authentication is being used. IIS assigns the new session to the account that you specified when you configured the virtual directory, such as "YourDOMAIN\AnonUser".
  2. The application requests the use of an Exchange Server resource.
  3. The Exchange server challenges the application to authenticate itself. The Exchange server does this by passing the application a random value.
  4. IIS uses the account from step 1 ("YourDOMAIN\AnonUser") and the password of the user that is stored in IIS to generate a hash from the random value.
  5. IIS passes the account and the hash back to Exchange.
  6. Exchange Server sends the account ("YourDOMAIN\AnonUser"), the hash, and the original random value to a primary or backup domain controller.
  7. The domain controller generates its own hash from the account and the random value that Exchange passed to the domain controller.
  8. The domain controller compares the following hashes:
    • The hash that the domain controller generated.
    • The hash that Exchange passed to the domain controller.
    If the hashes are the same, the domain controller tells Exchange to allow the user access to the resource.

    The critical step is to perform the following actions:
    • Provide IIS with an account into which to load the application.
    • Provide the correct credentials.
    If the system is not correctly configured, the application will not be granted access to the Exchange resource.
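The following Python script is an added illustration of the challenge-response sequence in steps 3 through 8, not code from the article or from Microsoft. It models IIS, Exchange, and the domain controller as three functions and uses HMAC-SHA256 as a stand-in for the real NT hash computation (an assumption; the article does not name the algorithm). The account directory and passwords are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what the domain controller knows. The password is a
# placeholder for the example, not a real credential.
DOMAIN_ACCOUNTS = {"YourDOMAIN\\AnonUser": "placeholder-password"}


def iis_response(stored_password: str, challenge: bytes) -> bytes:
    """Step 4: IIS hashes the random challenge using the password it stored
    for the anonymous account. HMAC-SHA256 stands in for the NT algorithm."""
    return hmac.new(stored_password.encode(), challenge, hashlib.sha256).digest()


def domain_controller_verify(account: str, challenge: bytes, response: bytes) -> bool:
    """Steps 7-8: the DC recomputes the hash from its own copy of the account's
    password and compares it with the hash Exchange forwarded."""
    password = DOMAIN_ACCOUNTS.get(account)
    if password is None:
        return False  # unknown account: nothing to compare against
    expected = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def exchange_request(account: str, iis_stored_password: str) -> bool:
    """Steps 3-6: Exchange issues a random challenge, receives the account and
    hash from IIS, and hands all three to the DC. Returns whether access is granted."""
    challenge = secrets.token_bytes(16)                       # step 3
    response = iis_response(iis_stored_password, challenge)   # steps 4-5
    return domain_controller_verify(account, challenge, response)  # steps 6-8


if __name__ == "__main__":
    # Passwords in sync: access granted.
    print(exchange_request("YourDOMAIN\\AnonUser", "placeholder-password"))
    # IIS holds a stale password (the note in "Configuring an NT account"): denied.
    print(exchange_request("YourDOMAIN\\AnonUser", "stale-password"))
```

The second call shows the failure mode the article warns about: when the password stored in IIS drifts from the NT account's password, the hashes no longer match and Exchange denies the anonymous application access.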

REFERENCES

See the following articles in the Microsoft Developer Network (MSDN) Library:

Modification Type: Major
Last Reviewed: 8/23/2005
Keywords: kbFAQ kbHOWTOmaster kbMsg KB195681 kbAudDeveloper